
Disable Hardware BitLocker Encryption on Vulnerable SSDs

Yesterday, a vulnerability was discovered in the hardware encryption implemented by some SSDs. Unfortunately, BitLocker in Windows 10 (and possibly Windows 8.1 as well) delegates the duty of securely encrypting and protecting the user's data to the drive manufacturer. When a drive reports that hardware encryption is available, BitLocker does not verify that the drive's implementation is sound; it simply turns off its own software-based encryption, leaving your data exposed. Here is a workaround you can apply.

Even if you enable BitLocker encryption on a system, Windows 10 may not actually be encrypting your data with its software encryption if the drive tells the operating system that it is using hardware encryption. And even when the drive does support encryption, that protection may be trivially broken, for example because the drive accepts a blank passphrase.

A recent study shows that Crucial and Samsung products have plenty of issues with their SSDs. For instance, certain Crucial models have an empty master password, allowing access to the encryption keys. It is quite possible that the firmware used in other hardware by various vendors may also have similar issues.

As a workaround, Microsoft suggests disabling hardware encryption and switching to BitLocker's software encryption if you have really sensitive and important data.

First of all, you need to check which type of encryption (hardware or software) your system is currently using for each BitLocker volume.
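To carry out that check from a script rather than by eye, here is an added PowerShell example (not from the article) that parses the output of manage-bde -status and flags volumes whose encryption method is reported as hardware encryption. The function names are my own, the embedded sample output is constructed in the layout manage-bde prints, and it assumes the English-language output strings.

```powershell
# Added example, not from the article: parse "manage-bde -status" output and
# report which BitLocker volumes rely on the SSD's own hardware encryption.
function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            # A new volume section starts; flush the previous one.
            if ($current) { $results += $current }
            $current = [pscustomobject]@{ Volume = $Matches[1]; Method = ''; IsHardware = $false }
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            # Hardware-encrypted volumes report "Hardware Encryption - <OID>"
            # (assumes English manage-bde output); software ones report e.g. "XTS-AES 128".
            $current.Method = $Matches[1]
            $current.IsHardware = $Matches[1] -like 'Hardware Encryption*'
        }
    }
    if ($current) { $results += $current }
    return $results
}

function Get-HardwareEncryptedVolume {
    # Live check on this machine; manage-bde needs an elevated prompt.
    $raw = & manage-bde.exe -status 2>&1
    ConvertFrom-ManageBdeStatus -Lines $raw | Where-Object IsHardware
}

# Constructed sample output so the parser can be tried offline.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Size:                 237.33 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@ -split "`r?`n"

# C: shows IsHardware = True (affected by this issue); D: shows False.
ConvertFrom-ManageBdeStatus -Lines $sample | Format-Table Volume, Method, IsHardware
```

Any volume flagged IsHardware is still protected only by the drive's firmware until it is decrypted and re-encrypted with the software method after the policy change below.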

Disable Hardware BitLocker Encryption

If you are a system administrator, enable and deploy the policy 'Configure use of hardware-based encryption for operating system drives'.

Disable Hardware BitLocker Encryption with Group Policy

If you are running Windows 10 Pro, Enterprise, or Education edition, you can use the Local Group Policy Editor app to configure the options mentioned above with a GUI.

Press Win + R keys together on your keyboard and type:

gpedit.msc

Press Enter.

Group Policy Editor will open. Go to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. Set the policy option "Configure use of hardware-based encryption for operating system drives" to Disabled.

Here, create a new 32-bit DWORD value OSAllowedHardwareEncryptionAlgorithms. Note: Even if you are running 64-bit Windows, you still need to use a 32-bit DWORD as the value type. Leave its value data as 0.

About Sergey Tkachenko

Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey writes about everything connected to Microsoft, Windows and popular software.